26-31
Cisco AsyncOS 9.5 for Email User Guide
 
Chapter 26      LDAP Queries
  Using LDAP For Directory Harvest Attack Prevention
Directory Harvest Attack Prevention within the Work Queue
You can prevent most DHAs by entering only domains in the Recipient Access Table (RAT), and 
performing the LDAP acceptance validation within the work queue. This technique prevents the 
malicious senders from knowing if the recipient is valid during the SMTP conversation. (When 
acceptance queries are configured, the system accepts the message and performs the LDAP acceptance 
validation within the work queue.) However, the Envelope Sender of the message will still receive a 
bounce message if a recipient is not valid.
Related Topics
Configuring Directory Harvest Prevention in the Work Queue
To prevent Directory Harvest Attacks, you first configure an LDAP server profile, and enable LDAP 
Accept. Once you have enabled LDAP acceptance queries, configure the listener to use the accept query, 
and to bounce mail for non-matching recipients:
Figure 26-9    Configuring the Acceptance Query to Bounce Messages for Non-Matching Recipients
Next, configure the Mail Flow Policy to define the number of invalid recipient addresses the system will allow per sending IP address for a specific period of time. When this number is exceeded, the system will identify this condition as a DHA and send an alert message. The alert message will contain the following information:
LDAP: Potential Directory Harvest Attack from host=('IP-address', 'domain_name'), 
dhap_limit=n, sender_group=sender_group
listener=listener_name, reverse_dns=(reverse_IP_address, 'domain_name', 1), 
sender=envelope_sender, rcpt=envelope_recipients
The system will bounce the messages up to the threshold you specified in the mail flow policy and then it will silently accept and drop the rest, thereby informing legitimate senders that an address is bad, but preventing malicious senders from determining which recipients are accepted.
This invalid recipients counter functions similarly to the way Rate Limiting is currently available in AsyncOS: you enable the feature and define the limit as part of the mail flow policy in a public listener's HAT (including the default mail flow policy for the HAT).
For example, you are prompted with these questions when creating or editing a mail flow policy in a public listener's HAT in the CLI — the listenerconfig -> edit -> hostaccess -> default | new commands:
Do you want to enable Directory Harvest Attack Prevention per host?   [Y]> y
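The per-host threshold behaviour described above (bounce invalid recipients up to the mail flow policy limit, then accept and silently drop the rest, and raise one alert for the host) as an added Python simulation; this is not AsyncOS code, and the valid-recipient set standing in for the LDAP acceptance query, the limit, the window and the sample events are all constructed.

```python
from collections import defaultdict, deque

# Constructed stand-in for the LDAP acceptance query (known-valid addresses).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

class DHAPCounter:
    """Per-sending-IP invalid-recipient counter over a sliding time window,
    a hypothetical model of the mail flow policy's DHAP limit."""
    def __init__(self, dhap_limit, window_seconds):
        self.limit = dhap_limit            # invalid recipients allowed per host
        self.window = window_seconds       # period over which they are counted
        self.invalid = defaultdict(deque)  # ip -> timestamps of invalid rcpts
        self.alerts = []                   # one alert per host over the limit

    def handle_recipient(self, ip, sender, rcpt, now):
        """Return 'accept', 'bounce' or 'drop' for one envelope recipient.
        Invalid recipients are bounced until the host exceeds the limit within
        the window; after that they are accepted in SMTP but silently dropped,
        and a single alert is recorded for the host."""
        if rcpt in VALID_RECIPIENTS:
            return "accept"
        stamps = self.invalid[ip]
        while stamps and now - stamps[0] > self.window:  # expire old entries
            stamps.popleft()
        stamps.append(now)
        if len(stamps) <= self.limit:
            return "bounce"
        if all(a["host"] != ip for a in self.alerts):
            self.alerts.append({"host": ip, "dhap_limit": self.limit,
                                "sender": sender, "rcpt": rcpt})
        return "drop"

def simulate(events, dhap_limit=2, window_seconds=3600):
    """Feed (ip, sender, rcpt, time) events through one counter; return the
    per-recipient verdicts and the alerts raised."""
    counter = DHAPCounter(dhap_limit, window_seconds)
    return [counter.handle_recipient(*ev) for ev in events], counter.alerts

# Constructed sample: 192.0.2.10 guesses addresses alphabetically (a harvest);
# 198.51.100.5 sends to one real user and one mistyped address.
SAMPLE_EVENTS = [
    ("192.0.2.10", "x@attacker.example", "aaron@example.com", 0),
    ("192.0.2.10", "x@attacker.example", "alice@example.com", 1),
    ("192.0.2.10", "x@attacker.example", "adam@example.com", 2),
    ("192.0.2.10", "x@attacker.example", "adrian@example.com", 3),
    ("198.51.100.5", "carol@partner.example", "bob@example.com", 4),
    ("198.51.100.5", "carol@partner.example", "bobby@example.com", 5),
    ("192.0.2.10", "x@attacker.example", "alan@example.com", 4000),
]
```

Note that the legitimate sender's single typo is still bounced, while the harvesting host sees bounces only for its first two guesses and gets no signal about the rest; once the window expires the host's counter starts over.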